Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 08/03/2024, 01:43
Static task: static1
Behavioral task: behavioral1
Sample: f3976d94b40d31fc49e46477679a31d674cc1cb3cc20af122a03809c4dfb373c.dll
Resource: win7-20240215-en

General
- Target: f3976d94b40d31fc49e46477679a31d674cc1cb3cc20af122a03809c4dfb373c.dll
- Size: 120KB
- MD5: dc3f80d788dc9ed7e853500cb434a3dc
- SHA1: 8b992a3c39eff3bc4c841414df9f76c2c8d2586c
- SHA256: f3976d94b40d31fc49e46477679a31d674cc1cb3cc20af122a03809c4dfb373c
- SHA512: 613640cbea5f198e7b20f09974842dc0c1b62e876a9adda6ea2d3ca9ac18ffd5ab4b024584fdbb951b0d25cb9731d2af69fc990b519633e932e1b1c2a22eaf55
- SSDEEP: 1536:J2qA6JtJpQ1P0x27nmyIm8PG8f75Lb2f8i3mhvOUIdwuhrnay0I2Wiw:J2qAuziPGZP9lmhMvRIdlh2LI2w
Malware Config
Extracted family: sality
Extracted URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | f763997.exe

(Signature heading missing from the extracted page; by its position in the process tree's signature list this is most likely "UAC bypass")
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761dec.exe

(Signature heading missing from the extracted page; by its position in the process tree's signature list this is most likely "Windows security bypass")
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f763997.exe
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality (24 IoCs)
UPX dump on OEP (original entry point) (30 IoCs)
Executes dropped EXE (3 IoCs)
pid | Process
- 2720 | f761dec.exe
- 2564 | f76230b.exe
- 2456 | f763997.exe

Loads dropped DLL (6 IoCs)
pid | Process
- 2908 | rundll32.exe
- 2908 | rundll32.exe
- 2908 | rundll32.exe
- 2908 | rundll32.exe
- 2908 | rundll32.exe
- 2908 | rundll32.exe
(Signature heading missing from the extracted page; by its position in the process tree's signature list this is most likely "Windows security modification")
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f763997.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | f763997.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | f763997.exe

(Signature heading missing from the extracted page; by its position in the process tree's signature list this is most likely "Checks whether UAC is enabled")
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763997.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\G: | f761dec.exe
- File opened (read-only) | \??\K: | f761dec.exe
- File opened (read-only) | \??\N: | f761dec.exe
- File opened (read-only) | \??\P: | f761dec.exe
- File opened (read-only) | \??\E: | f761dec.exe
- File opened (read-only) | \??\I: | f761dec.exe
- File opened (read-only) | \??\M: | f761dec.exe
- File opened (read-only) | \??\Q: | f761dec.exe
- File opened (read-only) | \??\R: | f761dec.exe
- File opened (read-only) | \??\H: | f761dec.exe
- File opened (read-only) | \??\J: | f761dec.exe
- File opened (read-only) | \??\L: | f761dec.exe
- File opened (read-only) | \??\O: | f761dec.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
- File created | C:\Windows\f761e79 | f761dec.exe
- File opened for modification | C:\Windows\SYSTEM.INI | f761dec.exe
- File created | C:\Windows\f76759d | f763997.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
- 2720 | f761dec.exe
- 2720 | f761dec.exe
- 2456 | f763997.exe
Suspicious use of AdjustPrivilegeToken (41 IoCs)
Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
- PID 2860 wrote to memory of 2908 | 2860 | rundll32.exe | 28
- PID 2860 wrote to memory of 2908 | 2860 | rundll32.exe | 28
- PID 2860 wrote to memory of 2908 | 2860 | rundll32.exe | 28
- PID 2860 wrote to memory of 2908 | 2860 | rundll32.exe | 28
- PID 2860 wrote to memory of 2908 | 2860 | rundll32.exe | 28
- PID 2860 wrote to memory of 2908 | 2860 | rundll32.exe | 28
- PID 2860 wrote to memory of 2908 | 2860 | rundll32.exe | 28
- PID 2908 wrote to memory of 2720 | 2908 | rundll32.exe | 29
- PID 2908 wrote to memory of 2720 | 2908 | rundll32.exe | 29
- PID 2908 wrote to memory of 2720 | 2908 | rundll32.exe | 29
- PID 2908 wrote to memory of 2720 | 2908 | rundll32.exe | 29
- PID 2720 wrote to memory of 1080 | 2720 | f761dec.exe | 18
- PID 2720 wrote to memory of 1088 | 2720 | f761dec.exe | 19
- PID 2720 wrote to memory of 1156 | 2720 | f761dec.exe | 20
- PID 2720 wrote to memory of 1508 | 2720 | f761dec.exe | 23
- PID 2720 wrote to memory of 2860 | 2720 | f761dec.exe | 27
- PID 2720 wrote to memory of 2908 | 2720 | f761dec.exe | 28
- PID 2720 wrote to memory of 2908 | 2720 | f761dec.exe | 28
- PID 2908 wrote to memory of 2564 | 2908 | rundll32.exe | 30
- PID 2908 wrote to memory of 2564 | 2908 | rundll32.exe | 30
- PID 2908 wrote to memory of 2564 | 2908 | rundll32.exe | 30
- PID 2908 wrote to memory of 2564 | 2908 | rundll32.exe | 30
- PID 2908 wrote to memory of 2456 | 2908 | rundll32.exe | 31
- PID 2908 wrote to memory of 2456 | 2908 | rundll32.exe | 31
- PID 2908 wrote to memory of 2456 | 2908 | rundll32.exe | 31
- PID 2908 wrote to memory of 2456 | 2908 | rundll32.exe | 31
- PID 2720 wrote to memory of 1080 | 2720 | f761dec.exe | 18
- PID 2720 wrote to memory of 1088 | 2720 | f761dec.exe | 19
- PID 2720 wrote to memory of 1156 | 2720 | f761dec.exe | 20
- PID 2720 wrote to memory of 2564 | 2720 | f761dec.exe | 30
- PID 2720 wrote to memory of 2564 | 2720 | f761dec.exe | 30
- PID 2720 wrote to memory of 2456 | 2720 | f761dec.exe | 31
- PID 2720 wrote to memory of 2456 | 2720 | f761dec.exe | 31
- PID 2456 wrote to memory of 1080 | 2456 | f763997.exe | 18
- PID 2456 wrote to memory of 1088 | 2456 | f763997.exe | 19
- PID 2456 wrote to memory of 1156 | 2456 | f763997.exe | 20
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f761dec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f763997.exe
Processes
- C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  Depth: 1, PID: 1080
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  Depth: 1, PID: 1088
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Depth: 1, PID: 1156
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3976d94b40d31fc49e46477679a31d674cc1cb3cc20af122a03809c4dfb373c.dll,#1
  Depth: 2, PID: 2860
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3976d94b40d31fc49e46477679a31d674cc1cb3cc20af122a03809c4dfb373c.dll,#1
    Depth: 3, PID: 2908
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\f761dec.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f761dec.exe
      Depth: 4, PID: 2720
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\f76230b.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f76230b.exe
      Depth: 4, PID: 2564
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\f763997.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f763997.exe
      Depth: 4, PID: 2456
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  Depth: 1, PID: 1508
Network
(no entries)

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 257B
  MD5: 1c7c89d56fcbe05f75b66b59389018ee
  SHA1: 30017c93f370182fa7f77ed35867c63f50ddd63b
  SHA256: a16468defe033b98c7b27cd9fe3d3308ceccb31133d3e9ef117475b7c888de31
  SHA512: 4854daabebe1df3855ecc4fa093dce6ce882ea892c499e60baa8b31f7ed2b42b61eb6e3fd11ac96af426f5c325d49a2602cd3a687aa53ee7a87ae6d79d55f854
- Filesize: 97KB
  MD5: e298f0488456d182dc030d8bcc238fa5
  SHA1: 71cb894dc32976bede9713b13f46eff0645ab5af
  SHA256: 765b69ec03ae392e2464cf51970225d041962cda2bc549c1bc773c89018500ac
  SHA512: c2af0159b02df9c747eedfe4f6d39acb90d7302177c577b4a48146295568f1a9dbe1ed27352148cf657cfe939b2362dc5fe791782f6d99b41bf19f19dbfcd45c
- Filesize: 61KB
  MD5: b3b9b3a60a75eb8a4684eafbe3ddf891
  SHA1: d634ebcaca9a70e6b845c09ace97c58e87d67b16
  SHA256: eb702081a0e0d192756a4e1da482e57095ed84de6751a6ccd7d76350e19eefe9
  SHA512: 74f62487934e6896a7be6761e12db34ed765114292b0d576c4a072eb4bc43cd842d363281abc0a29f9dbb5118826ec8cd20b462073b09690be5093eef7a807b2